The SolarWinds breach brought a dangerous attack vector to the fore, but supply chain attacks are far from a new phenomenon
In December 2020, with much of the world distracted by a Covid-19 resurgence and the aftermath of the US presidential election, security researchers were busy tracking a new malware campaign – UNC2452 – which had grave implications for cybersecurity in the western world.
Subsequently linked with Russian state-sponsored cybercrime gang APT29 (or Cozy Bear) the attack ‘trojanized’ software updates to Orion, an IT monitoring and management application from SolarWinds.
Researchers from FireEye, the campaign’s first high-profile victim, discovered that hackers had turned part of Orion into a back door that communicated with third-party servers. FireEye named the Trojanized plug-in – a standard Windows installer patch file – ‘SUNBURST’.
Within days, dozens of global businesses and government departments were reporting Sunburst infections, including Microsoft and the US Department of Homeland Security.
Sunburst delivered multiple payloads, with some launching Cobalt Strike Beacon via the Teardrop loader. According to FireEye, “post compromise activity following this supply chain compromise has included lateral movement and data theft”.
More worrying still, the Sunburst trojan first started to infect networks potentially as far back as March 2020.
The world had just witnessed its largest ever software supply chain attack.
What is a software supply chain attack?
A software supply chain attack happens when hackers manipulate the code in third-party software components in order to compromise the ‘downstream’ applications that use them.
Attackers leverage compromised software to steal data, corrupt targeted systems, or to gain access to other parts of the victim’s network through lateral movement.
The 2013 attack against US retail giant Target is perhaps the best-known example of lateral movement. Hackers compromised systems at Target’s heating and ventilation supplier, then used the application’s trusted status to gain access to the retailer’s sensitive data.
Any other ‘upstream’ part of an organization’s supply chain can be thus targeted, including application developers, publishers of off-the-shelf software like SolarWinds, API providers, and the open source community.
“In a software supply chain attack, a malicious actor targets an organization or individual by compromising the most insecure element of their software supply chain,” Paolo Passeri, cyber intelligence principal at Netskope, told The Daily Swig.
“The attackers tamper with the development process of the software to inject a malicious component, such as a remote access tool, that will let them establish a foothold into the targeted organisation or individual.”
SolarWinds revealed it was hit by a high-profile supply chain attack in December 2020
Recent supply chain attacks
- Dependency confusion, 2021 – A security researcher breached systems belonging to the likes of Microsoft, Apple, Uber, and Tesla using a novel attack technique. Leveraging dependency/namespace confusion, Alex Birsan successfully sent counterfeit (but benign) packages downstream to dozens of high-profile targets with no social engineering required.
- Mimecast, 2021 – Cloud security firm Mimecast reported that attackers had compromised a certificate used by the vendor to authenticate its services on Microsoft 365 Exchange Web Services. Around 10% of Mimecast customers use applications that rely on the compromised certificate, but Mimecast said that only a handful were affected.
- SolarWinds, 2020 – The most far-reaching supply chain attack yet stemmed from a backdoor, SUNBURST, which was injected into the Orion IT management application’s update tool. In filings to the SEC, SolarWinds said 18,000 customers had downloaded the backdoor. Microsoft, in turn, notified 40 customers of the attack.
- ASUS, 2018 – An attack dubbed ShadowHammer targeted owners of ASUS computers in 2018. Researchers at Symantec believe the attack, which saw malware delivered via ASUS’ automatic update feature, ran from June to October and affected up to 500,000 systems. Other vendors might also have been affected.
- event-stream, 2018 – A 2018 attack on a GitHub repository in which malware was injected into the disused flatmap-stream dependency, which was part of event-stream. The number of applications that pulled the compromised dependency into their code remains unknown.
What makes supply chain attacks so dangerous?
It’s a daunting problem to tackle.
“From the evidence we’ve seen from the recent SolarWinds attack, IT security teams have a limited grasp of the risks posed by software supply chains,” Kevin Bocek, VP security strategy and threat intelligence, Venafi, told The Daily Swig.
Modern software is invariably built from readymade components: proprietary code, open source components, and third-party APIs. No one developer can build a modern application on their own, and software reuse is the norm.
Writing before the SolarWinds attack, GitHub security researcher Maya Kaczorowski cited data suggesting that 85-97% of enterprise software codebases come from open source components. The average project now has 203 dependences, according to GitHub’s State of the Octoverse survey.
But while code reuse simplifies and accelerates application development, it creates some very serious security problems – not least the fact that compromised off-the-shelf components can leave countless organizations vulnerable to attack.
Vendors of software components “serve multiple customers, so if their systems are compromised, it’s a much wider issue”, Scott Nicholson, director at security advisors Bridewell Consulting, told The Daily Swig.
“Many organisations are complacent about supply chain risks – our recent research showed less than one fifth (18%) of critical national infrastructure organisations viewed third-party suppliers and partners as the biggest risk to their organization.”
Although supply chain attacks have been around for some time – some researchers claim since the 1980s – many CISOs are only now becoming aware of the gravity of the threat, especially to enterprise applications.
“We are becoming much more aware of it,” Professor Yehuda Lindell, security researcher and co-founder of Unbound Tech, told The Daily Swig.
“We have seen quite a few [incidents] in the not-too-distant past: SolarWinds, Mimecast, ASUS, where attackers managed to sign a legitimate key on malicious version of firmware infecting millions of computers.” It is, he warns, a “very effective attack vector”, not least because hackers can compromise a wide range of organisations in one hit.
Software supply chain attacks are a persistent threat to organizations of all sizes
Software versus hardware supply chain attacks
Whether it’s routers, servers, IoT devices, or mobile phones, hardware manufacturers also outsource the provision of certain components to a myriad of organizations and, like, software developers, often have limited visibility of the security risks this incurs.
According to Microsoft, hardware and its firmware is harder to tamper with than software, since it requires either interception while devices or their parts are en route to the factory, or factory floor manipulation. But the consequences can be serious.
Once achieved, malicious changes are “extremely difficult to detect and fix, giving the perpetrator long-term access”, says Microsoft, not least because “because they bypass traditional software-based security detection tools”.
Can you prevent or mitigate supply chain attacks?
At the technical level, increasing security awareness among DevOps teams is the first and – many experts argue – most critical step.
Teams need to incorporate security into the entire development process, have a comprehensive map of the dependences used by their applications, be alert to vulnerability disclosures, and have a robust system for patching security bugs.
Project leaders could also look at software bills of materials (SBOMs) to track components, and audit their own controls to keep software secure.
The runtime application self-protection (RASP) tool, meanwhile, is now recommended by NIST as a means to mitigate software supply chain vulnerabilities.
Firms should also consider using application scanning tools (both SAST and DAST) to receive early warnings of communication between their applications and command and control servers.
Tips for bolstering software supply chains
- Audit unapproved ‘shadow IT’ infrastructure and remove outdated or redundant systems
- Create an effective software asset inventory and keep it up to date
- Speak to suppliers’ CISOs during purchase negotiations to assess the vendor’s security posture
- Map and test key services, and assess the ability to restore or replace them in the event of a security breach
- Treat validation of supplier risk as an ongoing process, not a one-off
- Consider RASP and other client-side protection tools
Sources: Immuniweb, Unbound Tech, PA Consulting, Netskope, Imperva, Tanium
Organizations should also tighten up their software acquisition strategies. IT departments, which often rely on questionnaires and vendor self-certification to perform due diligence, should also consider audits, source code reviews and penetration testing – more robust, if costlier, alternatives.
Professor Yehuda Lindell recounts how he rejected a potential SaaS supplier when, after requesting its pen test results, he discovered that it had only fixed the most serious vulnerability among several unearthed.
More organizations should follow this lead, suggests Elliot Rose, head of cybersecurity at PA Consulting.
“Many organisations recognize that they need to put in place continuous monitoring and assessment of critical third parties,” Rose told The Daily Swig.
“This is not easy but is increasingly necessary, and there are new tools and approaches available to ease the burden.”
Monitoring supply chain risk is now a requirement for many regulators, including the UK’s Financial Conduct Authority.
As well as being discerning when sourcing new suppliers, organizations should close down redundant infrastructure.
“People have shadow IT or abandoned servers, systems, or applications accessible from the internet for a variety of reasons, whether it is [down to] human negligence, carelessness, or forgetfulness,” Ilia Kolochenko, CEO of ImmuniWeb, told The Daily Swig.
And CIOs should move away from blindly trusting the software they buy, build, and use.
This means limiting the number of applications with access to critical systems, restricting their ability to move laterally across the network, and continuously monitoring systems so they can act quickly if attacked.
It can be difficult to prevent supply chain attacks, but there are some mitigating steps organizations can take
“Supply chains work based on trust,” Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), told The Daily Swig.
“If a business can’t honestly answer the question of what code they’re dependent on for every piece of software in their business, be it commercial, open source, free, firmware, cloud or mobile, then they have gaps in their patch management process.”
Sharat Ganesh, technical director at Tanium, agrees.
“Customers should continuously validate and mitigate their own vulnerabilities in open source software components in their environment,” he told The Daily Swig.
“They can then make an objective, data-driven assessment of acceptable risk of installing a third-party software product in their production environment.”
The software supply chain, he says, is a “chain of trust”. The SolarWinds attack has revealed why that trust should not be granted lightly.